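--- a/t_ipsec_natt.sh
+++ b/t_ipsec_natt.sh
@@ -1,56 +1,59 @@
-# $NetBSD: t_ipsec_natt.sh,v 1.1 2018/12/25 03:54:44 knakahara Exp $
+# $NetBSD: t_ipsec_natt.sh,v 1.2 2018/12/26 08:59:41 knakahara Exp $
 #
 # Copyright (c) 2018 Internet Initiative Japan Inc.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 # notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 # notice, this list of conditions and the following disclaimer in the
 # documentation and/or other materials provided with the distribution.
 #
 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-SOCK_LOCAL=unix://ipsec_natt_local
+SOCK_LOCAL_A=unix://ipsec_natt_local_a
+SOCK_LOCAL_B=unix://ipsec_natt_local_b
 SOCK_NAT=unix://ipsec_natt_nat
 SOCK_REMOTE=unix://ipsec_natt_remote
 BUS_LOCAL=./bus_ipsec_natt_local
 BUS_NAT=./bus_ipsec_natt_nat
 
 DEBUG=${DEBUG:-false}
 HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"
 
 setup_servers()
 {
 
-rump_server_crypto_start $SOCK_LOCAL netipsec ipsec
+rump_server_crypto_start $SOCK_LOCAL_A netipsec ipsec
+rump_server_crypto_start $SOCK_LOCAL_B netipsec ipsec
 rump_server_npf_start $SOCK_NAT
 rump_server_crypto_start $SOCK_REMOTE netipsec ipsec
-rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+rump_server_add_iface $SOCK_LOCAL_A shmif0 $BUS_LOCAL
+rump_server_add_iface $SOCK_LOCAL_B shmif0 $BUS_LOCAL
 rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL
 rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT
 rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT
 }
 
 setup_ipsecif()
 {
 local sock=$1
 local ifid=$2
 local src_ip=$3
 local src_port=$4
 local dst_ip=$5
 local dst_port=$6
@@ -283,130 +286,211 @@ check_tcp_com_over_ipsecif()
 extract_new_packets $bus > $outfile
 $DEBUG && cat $outfile
 atf_check -s exit:0 \
 -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \
 cat $outfile
 atf_check -s exit:0 \
 -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \
 cat $outfile
 }
 
 test_ipsecif_natt_transport()
 {
 local algo=$1
-local ip_local=192.168.0.2
+local ip_local_a=192.168.0.2
+local ip_local_b=192.168.0.3
 local ip_nat_local=192.168.0.1
 local ip_nat_remote=10.0.0.1
 local ip_remote=10.0.0.2
 local subnet_local=192.168.0.0
-local ip_local_ipsecif=172.16.100.1
-local ip_remote_ipsecif=172.16.10.1
+local ip_local_ipsecif_a=172.16.100.1
+local ip_local_ipsecif_b=172.16.110.1
+local ip_remote_ipsecif_a=172.16.10.1
+local ip_remote_ipsecif_b=172.16.11.1
 
 local npffile=./npf.conf
 local file_send=./file.send
 local algo_args="$(generate_algo_args esp-udp $algo)"
-local pid= port=
+local pid= port_a= port_b=
 
 setup_servers
 
-export RUMP_SERVER=$SOCK_LOCAL
+export RUMP_SERVER=$SOCK_LOCAL_A
 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
-atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_a/24
+atf_check -s exit:0 -o ignore \
+rump.route -n add default $ip_nat_local
+
+export RUMP_SERVER=$SOCK_LOCAL_B
+atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_b/24
 atf_check -s exit:0 -o ignore \
 rump.route -n add default $ip_nat_local
 
 export RUMP_SERVER=$SOCK_NAT
 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
 atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24
 atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24
 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
 
 export RUMP_SERVER=$SOCK_REMOTE
 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
 atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
 atf_check -s exit:0 -o ignore \
 rump.route -n add -net $subnet_local $ip_nat_remote
 
 # There is no NAT/NAPT. ping should just work.
-check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_local $ip_remote
+check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_local_a $ip_remote
+check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_local_b $ip_remote
 
 # Setup an NAPT with npf
 build_npf_conf $npffile "$subnet_local/24"
 
 export RUMP_SERVER=$SOCK_NAT
 atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
 atf_check -s exit:0 $HIJACKING_NPF npfctl start
 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
 
 # There is an NAPT. ping works but source IP/port are translated
-check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_nat_remote $ip_remote
+check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_nat_remote $ip_remote
+check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_nat_remote $ip_remote
 
 # Try TCP communications just in case
-check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \
+check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote $ip_nat_remote $ip_remote
+check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
 $ip_remote $ip_nat_remote $ip_remote
 
 # Launch a nc server as a terminator of NAT-T on outside the NAPT
 start_natt_terminator $SOCK_REMOTE $ip_remote 4500
 echo zzz > $file_send
 
+#################### Test for primary ipsecif(4) NAT-T.
+
+export RUMP_SERVER=$SOCK_LOCAL_A
+# Send a UDP packet to the remote server at port 4500 from the local
+# host of port 4500. This makes a mapping on the NAPT between them
+atf_check -s exit:0 $HIJACKING \
+nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
+# Launch a nc server as a terminator of NAT-T on inside the NAPT,
+# taking over port 4500 of the local host.
+start_natt_terminator $SOCK_LOCAL_A $ip_local_a 4500
+
+# We need to keep the servers for NAT-T
+
+export RUMP_SERVER=$SOCK_LOCAL_A
+$DEBUG && rump.netstat -na -f inet
+export RUMP_SERVER=$SOCK_REMOTE
+$DEBUG && rump.netstat -na -f inet
+
+# Get a translated port number from 4500 on the NAPT
+export RUMP_SERVER=$SOCK_NAT
+$DEBUG && $HIJACKING_NPF npfctl list
+# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
+port_a=$($HIJACKING_NPF npfctl list | grep $ip_local_a | awk -F 'shmif1:' '/4500/ {print $2;}')
+$DEBUG && echo port_a=$port_a
+if [ -z "$port_a" ]; then
+atf_fail "Failed to get a traslated port on NAPT"
+fi
+
+# Setup ESP-UDP ipsecif(4) for first client under NAPT
+setup_ipsecif $SOCK_LOCAL_A 0 $ip_local_a 4500 $ip_remote 4500 \
+$ip_local_ipsecif_a $ip_remote_ipsecif_a
+setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port_a \
+$ip_remote_ipsecif_a $ip_local_ipsecif_a
+
+add_sa $SOCK_LOCAL_A "esp-udp" "$algo_args" \
+$ip_local_a 4500 $ip_remote 4500 10000 10001
+add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
+$ip_remote 4500 $ip_nat_remote $port_a 10001 10000
+
+export RUMP_SERVER=$SOCK_LOCAL_A
+# ping should still work
+atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
 
-export RUMP_SERVER=$SOCK_LOCAL
+# Try ping over the ESP-UDP ipsecif(4)
+check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500
+
+# Try TCP communications over the ESP-UDP ipsecif(4)
+check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500
+
+#################### Test for secondary ipsecif(4) NAT-T.
+
+export RUMP_SERVER=$SOCK_REMOTE
+$HIJACKING setkey -D
+$HIJACKING setkey -DP
+
+export RUMP_SERVER=$SOCK_LOCAL_B
 # Send a UDP packet to the remote server at port 4500 from the local
 # host of port 4500. This makes a mapping on the NAPT between them
 atf_check -s exit:0 $HIJACKING \
 nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send
 # Launch a nc server as a terminator of NAT-T on inside the NAPT,
 # taking over port 4500 of the local host.
-start_natt_terminator $SOCK_LOCAL $ip_local 4500
+start_natt_terminator $SOCK_LOCAL_B $ip_local_b 4500
 
 # We need to keep the servers for NAT-T
 
-export RUMP_SERVER=$SOCK_LOCAL
+export RUMP_SERVER=$SOCK_LOCAL_B
 $DEBUG && rump.netstat -na -f inet
 export RUMP_SERVER=$SOCK_REMOTE
 $DEBUG && rump.netstat -na -f inet
 
 # Get a translated port number from 4500 on the NAPT
 export RUMP_SERVER=$SOCK_NAT
 $DEBUG && $HIJACKING_NPF npfctl list
 # 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248
-port=$($HIJACKING_NPF npfctl list | grep $ip_local | awk -F 'shmif1:' '/4500/ {print $2;}')
-$DEBUG && echo port=$port
-if [ -z "$port" ]; then
+port_b=$($HIJACKING_NPF npfctl list | grep $ip_local_b | awk -F 'shmif1:' '/4500/ {print $2;}')
+$DEBUG && echo port_b=$port_b
+if [ -z "$port_b" ]; then
 atf_fail "Failed to get a traslated port on NAPT"
 fi
 
 # Setup ESP-UDP ipsecif(4) for first client under NAPT
-setup_ipsecif $SOCK_LOCAL 0 $ip_local 4500 $ip_remote 4500 \
-$ip_local_ipsecif $ip_remote_ipsecif
-setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port \
-$ip_remote_ipsecif $ip_local_ipsecif
+setup_ipsecif $SOCK_LOCAL_B 0 $ip_local_b 4500 $ip_remote 4500 \
+$ip_local_ipsecif_b $ip_remote_ipsecif_b
+setup_ipsecif $SOCK_REMOTE 1 $ip_remote 4500 $ip_nat_remote $port_b \
+$ip_remote_ipsecif_b $ip_local_ipsecif_b
+
+check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500
 
-add_sa $SOCK_LOCAL "esp-udp" "$algo_args" \
-$ip_local 4500 $ip_remote 4500 10000 10001
+add_sa $SOCK_LOCAL_B "esp-udp" "$algo_args" \
+$ip_local_b 4500 $ip_remote 4500 11000 11001
 add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \
-$ip_remote 4500 $ip_nat_remote $port 10001 10000
+$ip_remote 4500 $ip_nat_remote $port_b 11001 11000
 
-export RUMP_SERVER=$SOCK_LOCAL
+export RUMP_SERVER=$SOCK_LOCAL_B
 # ping should still work
 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
 
 # Try ping over the ESP-UDP ipsecif(4)
-check_ping_packets_over_ipsecif $SOCK_LOCAL $BUS_NAT \
-$ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500
+check_ping_packets_over_ipsecif $SOCK_LOCAL_B $BUS_NAT \
+$ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500
+
 
 # Try TCP communications over the ESP-UDP ipsecif(4)
-check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \
-$ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500
+check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \
+$ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500
+
+# Try ping over the ESP-UDP ipsecif(4) for primary again
+check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500
+
+# Try TCP communications over the ESP-UDP ipsecif(4) for primary again
+check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \
+$ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500
 
 # Kill the NAT-T terminator
 stop_natt_terminators
 }
 
 add_test_ipsecif_natt_transport()
 {
 local algo=$1
 local _algo=$(echo $algo | sed 's/-//g')
 local name= desc=
 
 desc="Test ipsecif(4) NAT-T ($algo)"
 name="ipsecif_natt_transport_${_algo}"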
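Review bot: The two SAD/SPD dumps `$HIJACKING setkey -D` and `$HIJACKING setkey -DP` that open the "secondary ipsecif(4) NAT-T" section run unconditionally and outside atf_check, while every other diagnostic dump in test_ipsecif_natt_transport is guarded like `$DEBUG && rump.netstat -na -f inet`; they should read `$DEBUG && $HIJACKING setkey -D` and `$DEBUG && $HIJACKING setkey -DP` so their output, and any failure of setkey itself, stays confined to debug runs. The comments carried into the secondary block are now stale: the example mapping `# 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248` above the `port_b=` line still shows client A's address although the grep is for `$ip_local_b` (192.168.0.3), and `# Setup ESP-UDP ipsecif(4) for first client under NAPT` precedes the setup_ipsecif calls for `$SOCK_LOCAL_B`; I'd change the example address to 192.168.0.3 and the heading to `# Setup ESP-UDP ipsecif(4) for second client under NAPT`. The check_ping_packets_over_ipsecif call for `$SOCK_LOCAL_A` placed between client B's setup_ipsecif and its add_sa has no comment, unlike the neighbouring checks; it presumably verifies that the primary tunnel keeps working once a second ipsecif(4) exists on the remote side but before its SAs are installed, and a one-line comment stating that intent would make the check meaningful to the next reader.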